OfficeConnect Internet 
Firewall Virtual Private 
Network Services 



This chapter contains the following: 

■ Introduction to Virtual Private Networks (VPN) 

■ VPN Applications 

■ Basic Terms and Concepts 



Introduction to Virtual Private Networks 

Virtual Private Networks (VPN) provide an easy, affordable 
and secure means for businesses to conduct operations 
and provide network connectivity to all offices and 
partners. Using the intuitive 3Com® Web interface on the 
Firewall, a secure connection may be established between 
two or more sites. 

Data that is intended for delivery to a remotely connected 
site is automatically encrypted. The data is delivered via the 
Web and decrypted at the intended destination. 

The OfficeConnect® Internet Firewall VPN uses the IPSec 
VPN standard. This guarantees compliance with other VPN 
products, such as 3Com Pathbuilder 400, 3Com 
Superstack® 3 Firewall and Check Point Firewall-1 that 
adhere to the same standard. 



VPN Applications 

The following illustration demonstrates several common 
VPN applications. 
Figure 1 Virtual Private Networks Applications 




■ Linking two or more Private Networks Together 

VPN is the perfect way to connect branch offices and 
business partners to the primary business. Using VPN 
over the Internet, instead of leased site-to-site lines, offers 
significant cost savings and improved performance. 

■ Using the IRE VPN Client for Secure Remote 
Management 

Using the included IRE VPN client for Windows, a 
secure, encrypted tunnel may be created that allows the 
administrator to remotely manage the OfficeConnect 
Internet Firewall over the Internet. 

■ Accessing Machines Using Private Addressing behind 
NAT 

When NAT (Network Address Translation) is enabled, 
remote users are not able to access hosts on the LAN 
unless the host is designated a Public LAN Server for 
that specific protocol. Since the VPN Tunnel terminates 
inside the LAN, remote users will be able to access all 
computers that use private IP addresses on the LAN. 



Basic VPN Terms and Concepts 

Before configuring the OfficeConnect Internet Firewall's 
VPN feature, it is important to understand the following 
basic terms and concepts. 

■ VPN Tunnel 

Tunnelling is the encapsulation of point-to-point 
transmission inside IP packets. A VPN Tunnel is a term 
that is used to describe a connection between two or 
more private nodes or LANs over a public network, 
typically the Internet. Encryption is often used to 
maintain the confidentiality of private data when 
travelling over the Internet. 

■ Security Association/Policy 

The Security Association/Policy is the particular setting 
needed to configure a VPN Tunnel. 

■ Encryption 

Encryption is a mathematical operation that transforms 
data from "clear text" (something that a human or a 
program can interpret) to "cipher text" (something that 
cannot be interpreted). Usually the mathematical 
operation requires that an alphanumeric "key" be 
supplied along with the clear text. The key and clear 
text are processed by the encryption operation which 
leads to the data scrambling that makes encryption 
secure. Decryption is the opposite of encryption: it is the 
mathematical operation that transforms cipher text to 
clear text. Decryption also requires a key. 

■ Key 

A key is an alphanumeric string that is used by the 
encryption operation to transform clear text into cipher 
text. Keys used in VPN communications can range in 
length, but are typically 16 or 32 characters. The longer 
the key, the more difficult it is to break the encryption. 
The reason for this is most methods used to break 
encryption involve trying every possible combination of 
characters, similar to trying to open a safe when the 
combination is not known. 
■ Asymmetric vs. Symmetric Cryptography 

Asymmetric and symmetric cryptography refers to the 
keys used to authenticate, or encrypt and decrypt the 
data. 

Asymmetric cryptography does not use the same key to 
verify the data. Asymmetric cryptography is often 
referred to as public key cryptography. With public key, 
each user gets a pair of keys, one called the public key 
and the other called the private key. The private key is 
mathematically linked to the public key and must always 
be kept secret. All communications involve only public 
keys; the private key is never transmitted or shared, but 
is used to decrypt the message. A user can generate their 
own keys using key generation software, or have keys 
generated by trusted organizations. Once a key has 
been generated, the user must register his or her public 
key with a central administration, called a Certifying 
Authority (CA). Organizations, such as RSA Data 
Security and Verisign, can help users issue and register 
key pairs. 

The OfficeConnect Internet Firewall VPN uses 
Symmetric Cryptography. As a result, the key on both 
ends of the VPN tunnel must match exactly. 

■ Authentication Header (AH) 

The Authentication Header is a mechanism for 
providing strong integrity and authentication for IP 
packets. Confidentiality and protection from traffic 
analysis are not provided by the Authentication Header. 

The IP Authentication Header provides security by 
adding authentication information to an IP packet. This 
authentication information is calculated using all header 
and payload data in the IP packet. This provides 
significantly more security than is currently present in IP. 
Use of AH will increase the processing requirements in 
the Firewall and will also increase the communication 
latency. The increased latency is primarily due to the 
calculation and comparison of the authentication data 
by the receiver for each IP packet containing an 
Authentication Header. 



■ Data Encryption Standard (DES) - Medium Speed/Medium Security 

When DES is used for data communications, both 
sender and receiver must know the same secret key, 
which can be used to encrypt and decrypt the message, 
or to generate and verify a message authentication 
code. 3Com's implementation of DES uses a 56-bit key. 

3Com's DES Key must be exactly 16 characters long and 
is comprised of hexadecimal characters. Valid 
hexadecimal characters are "0" to "9", and "a" to "f" 
inclusive 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f. For example, a 
valid key would be 0123456789abcdef. 

■ Strong Encryption (Triple DES or 3DES) - Slow Speed/Maximum Security 

Strong Encryption, or Triple DES (3DES) is a variation on 
DES that uses a 168-bit key. As a result, 3DES is 
dramatically more secure than DES, and is considered to 
be virtually unbreakable by security experts. It also 
requires a great deal more processing power, resulting 
in increased latency and decreased throughput. 

The 3DES Key must be exactly 24 characters long and is 
comprised of hexadecimal characters. Valid hexadecimal 
characters are "0" to "9", and "a" to "f" inclusive 
0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f. For example, a valid key 
would be 0123456789abcdef12345678. 

■ ARCFour - Fast Speed/Medium Security 

ARCFour (ARC4) is used for communications with 
secure Web Sites using the SSL protocol. Many banks 
use a 40-bit key ARC4 for online banking while others 
use a 128-bit key. 3Com's implementation of ARCFour 
uses a 56-bit key. 

ARCFour is faster than DES for several reasons. The first is 
that it is a newer encryption mechanism than DES and, as a 
result, benefits from advances in encryption technology. 
The second is that, unlike DES, it is designed to encrypt 
data streams rather than static storage. DES has achieved 
much of its popularity because it is well known and has 
been proven to be very robust. ARCFour, while theoretically 
as secure as 56-bit DES, does not have the long history 
that leads to wide acceptance by security professionals. 

3Com's ARCFour Key must be exactly 16 characters 
long and is comprised of hexadecimal characters. Valid 
hexadecimal characters are "0" to "9", and "a" to "f" 
inclusive 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f. For example, a 
valid key would be 0123456789abcdef. 

■ Tunnel Only - Very Fast Speed/No Security 

The data is not encrypted. It is used for connecting two 
private networks without security. 

■ Security Parameter Index (SPI) 

The SPI is used to establish a VPN tunnel. The SPI is 
transmitted from the remote Firewall to the local 
Firewall. The local Firewall then uses the network, 
encryption and key values that the administrator has 
associated with the SPI to establish the tunnel. 

The SPI must be unique, is from one to eight characters 
long, and is comprised of hexadecimal characters. Valid 
hexadecimal characters are "0" to "9", and "a" to "f" 
inclusive 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f. For example, 
valid SPIs would be 999, or 1234abcd. 



The range from "0" to "f" inclusive is reserved by the 
Internet Engineering Task Force (IETF) and is not allowed 
for use as an SPI. These values will not be accepted by the 
Firewall when entered as an SPI; an error message will be 
displayed at the bottom of the Web browser window when the 
Update button is pressed. 

■ Security Association (SA) 

A Security Association is the group of security settings 
relating to a given network connection or set of 
connections. The Security Association is based on the 
SPI, and includes the Destination Address Range, IPSec 
gateway Address, Encryption method, Encryption Key 
and Authentication Key. 
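The Authentication Header item above says that the authentication information is calculated over the header and payload of each IP packet and checked by the receiver, and the client configuration later in this manual mentions replay detection. The following Python script is an added worked example, not part of the 3Com manual or of the Firewall's software, showing both mechanics with HMAC-MD5 (the authentication method named in the Encryption Method options) and a 32-character hexadecimal Authentication Key as the Firewall expects it. The key, SPI, addresses and payload are constructed sample values. One detail goes beyond this manual: real AH (RFC 2402) treats the IP header fields that routers change in transit (TOS, flags/fragment offset, TTL, checksum) as zero when computing the authentication data, and the script does the same so that a decremented TTL does not break verification.

```python
import hashlib
import hmac
import ipaddress
import struct

# Authentication key in the form the Firewall accepts: exactly 32 hexadecimal
# characters, i.e. 16 bytes. Constructed for this example, not a real key.
AUTH_KEY = bytes.fromhex("1234567890abcdef1234567890abcdef")

# Sample SPI (hexadecimal, above the IETF-reserved 0..f range), constructed.
SPI = 0x1234ABCD

ICV_LEN = 12  # HMAC-MD5-96: the 128-bit MD5 HMAC is truncated to 96 bits


def build_ipv4_header(src, dst, payload_len, ttl=64, ident=1):
    """Minimal 20-byte IPv4 header carrying AH (protocol 51); checksum left zero."""
    version_ihl = (4 << 4) | 5
    return struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, 20 + payload_len, ident, 0, ttl, 51, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def zero_mutable_fields(header):
    """AH covers the whole IP header, but fields that routers legitimately change
    in transit (TOS, flags/fragment offset, TTL, header checksum) are treated as
    zero, otherwise every hop would invalidate the authentication data."""
    h = bytearray(header)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def compute_icv(key, header, spi, seq, payload):
    """HMAC-MD5-96 over the (immutable parts of the) IP header, the AH fields
    and the payload: this is the 'authentication information' AH adds."""
    mac = hmac.new(key, digestmod=hashlib.md5)
    mac.update(zero_mutable_fields(header))
    mac.update(struct.pack("!II", spi, seq))
    mac.update(payload)
    return mac.digest()[:ICV_LEN]


def ah_protect(key, src, dst, spi, seq, payload):
    """Sender side: build the packet and attach the ICV."""
    header = build_ipv4_header(src, dst, 8 + ICV_LEN + len(payload))
    icv = compute_icv(key, header, spi, seq, payload)
    return header, spi, seq, payload, icv


class AHReceiver:
    """Receiver side: recompute and compare the ICV for every packet (the extra
    work the manual mentions as added latency) and reject sequence numbers
    already seen (replay detection, 64-packet window)."""
    WINDOW = 64

    def __init__(self, key):
        self.key = key
        self.highest = 0
        self.seen = set()

    def verify(self, header, spi, seq, payload, icv):
        expected = compute_icv(self.key, header, spi, seq, payload)
        if not hmac.compare_digest(expected, icv):
            return "bad icv"
        if seq in self.seen or seq <= self.highest - self.WINDOW:
            return "replay"
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        return "ok"


def demo():
    """Walk one packet through transit, replay and tampering; returns the verdicts."""
    receiver = AHReceiver(AUTH_KEY)
    header, spi, seq, payload, icv = ah_protect(
        AUTH_KEY, "192.168.2.20", "192.168.1.10", SPI, 1, b"constructed payload")
    # A router decremented TTL on the way: the packet must still verify.
    in_transit = bytearray(header)
    in_transit[8] -= 1
    accepted = receiver.verify(bytes(in_transit), spi, seq, payload, icv)
    # The same packet delivered a second time is a replay.
    replayed = receiver.verify(bytes(in_transit), spi, seq, payload, icv)
    # A modified payload no longer matches the authentication data.
    tampered = receiver.verify(bytes(in_transit), spi, 2, payload + b"!", icv)
    return accepted, replayed, tampered


if __name__ == "__main__":
    print(demo())
```

Because only the authentication data is added, the payload travels in clear: this is the confidentiality gap the manual notes for AH, and the reason the Encryption Method options combine encryption with HMAC-MD5 authentication.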




2 Virtual Private 
Network Configuration 



This chapter contains the following: 

■ Registering the VPN Upgrade 

■ Enabling VPN on the OfficeConnect Internet Firewall 

■ Configuring Firewall VPN between Two OfficeConnect 
Internet Firewall Gateways 

■ Configuring OfficeConnect Internet Firewall for use 
with VPN Client 

■ Using OfficeConnect Internet Firewall with Check Point 
Firewall-1 



Registering the VPN Upgrade 

The United States Department of Commerce restricts 
distribution of any product containing software encryption 
technology. As a result, it is necessary to first register the 
VPN Upgrade before the VPN functionality within the 
Firewall can be activated. 

This procedure describes the process of registering the 
OfficeConnect® Internet Firewall (OCIF) VPN Upgrade. 

1 Using a Web browser, open: 

http://www.3com.com/internetfirewall 

and click the Activate VPN Upgrade link. 

2 Key in the following into the Activation Key field: 

■ Your OfficeConnect Internet Firewall serial number, 
which can be found on the bottom of your Firewall. 

■ The 9-digit key shown on the back cover of this manual 
and click the Submit button. 

The operation will take a few seconds to complete. Once 
completed, a message confirming the registration will be 
displayed in the Web browser window, along with an 
activation key that needs to be entered into the Firewall. 

Print this page or make a note of the upgrade key displayed 
as you will need this to enable VPN in your Firewall. 



Installing and Activating VPN Firmware 

If you have a Firmware version earlier than 5.0.8, you will 
need to upgrade the Firmware on your Firewall. The 
Firmware version can be checked by logging into the 
Firewall and clicking on Unit Status. 

Full details of how to upgrade the Firmware are contained 
in chapter 4 of the manual that accompanied your Firewall. 

1 To activate the VPN, log into the Firewall and click the 
button labeled VPN on the left side of the browser window. 
A window similar to Figure 2 will be displayed: 

Figure 2 VPN Registration Window 



Enter the upgrade key exactly as shown on the VPN 
activation confirmation page and click the Update button. 

Note that upgrade keys are case sensitive and that you 
must enter lower case alphabetic characters. 

A message confirming the upgrade will be displayed at the 
bottom of the screen. If an error message is displayed, 
make sure that the Caps Lock key is switched off and try 
again. 


Enabling VPN on the OfficeConnect Internet Firewall 

This section describes steps required for enabling VPN 
functions on the OfficeConnect Internet Firewall. 

1 Click the tab labeled VPN on the left side of the browser 
window. 

2 Click the tab labeled VPN Summary to the right of the 
3Com banner. A window similar to Figure 3 appears. 

Figure 3 VPN Summary Window 




The VPN Summary window allows the administrator to 
enable VPN, Disable NetBIOS broadcasts and view all the 
current VPN Security Associations. 

Enter a unique, descriptive identifier for your 
OfficeConnect Internet Firewall in the Unique Firewall 
Identifier field, for example, Santa Clara. 

The Unique Firewall Identifier field is used to identify your 
Firewall when one end of a VPN tunnel has a dynamically 
assigned IP address. 

To enable VPN connections, check the Enable VPN 
checkbox and click the Update button. 

The operation will take a few seconds to complete. Once 
completed a message confirming the update will be 
displayed at the bottom of the screen. 

Now you will need to set up the Security Associations. 

5 A Renegotiate button appears in the VPN Summary 
window when an IKE VPN tunnel is active. Clicking the 
Renegotiate button initiates the VPN handshake and the 
exchange of new encryption and authentication keys. 
The Renegotiate button will not appear if the Security 
Association's IPSec gateway has been set to 0.0.0.0. 



6 Once a VPN Security Association has been configured, it 
appears in the Current IPSec Security Associations section 
of the VPN Summary window. Clicking the Name of the 
Security Association, displays the VPN configuration for 
that Security Association. 

Connecting to an Existing Firewall 



When connecting to an existing Firewall, you will require 
the following information from the Network administrator 
before you can configure the Security Association: 

■ Firewall Identifier 

■ Key Exchange Method 

■ Destination Network Address 

■ Subnet Mask 

■ Shared Secret Information 

■ Manual Keys (only for manual keying) 


Configuring Firewall VPN between Two OfficeConnect 
Internet Firewall Gateways 

Setting up VPN between two OfficeConnect Internet 
Firewall VPN gateways or an OfficeConnect Internet 
Firewall and a SuperStack® 3 Firewall allows users to 
connect to a remote LAN using NAT. The first step in setting 
up a VPN between the two Firewall gateways is to create 
corresponding Security Associations on the two Firewalls. 
The instructions below describe how to do the following 
for Firewall A: 

■ Create a Security Association Using Internet Key 
Exchange (recommended) 

■ Create a Security Association Using Manual Keying 

Figure 4 VPN Configure Window (top) 



Creating a Security Association Using Internet Key Exchange 
for Firewall A 

Follow the instructions below to create a new Security 
Association using Internet Key Exchange (IKE). 

1 Click the tab labeled VPN on the left side of the browser 
window. 

2 Click the tab labeled VPN Configure to the right of the 
3Com banner. 
3 Select Add New Security Association from the Security 
Association menu of Firewall A. 

4 IPSec Keying Mode - Select IKE from the IPSec Keying 
Modes menu. Note: This is the default setting. 

5 SA Name - Enter a descriptive name for the Security 
Association (SA) being created, such as Salt Lake. Note that 
this name needs to match the remote VPN gateway ID 
(Unique Firewall Identifier for 3Com Firewall B) exactly if 
one end of the tunnel has a dynamic IP address. A typical 
set up is shown in Figure 5. 



Figure 5 Typical Configuration using two Firewalls (addresses 
shown in the figure: 192.168.2.20 and 192.168.1.10) 



6 Enable Windows Networking - Do the following: 

■ Check the Enable Windows Networking (NetBIOS) 
Broadcast checkbox to enable Windows Networking 
broadcasts. 

■ The Disable all Windows Networking (NetBIOS) 
broadcast checkbox on the VPN Summary tab must be 
unchecked to pass broadcasts. See Figure 3 on page 13. 




The VPN Client will not allow broadcasts. 



7 Destination Network - Enter the IP address of the 
destination network. This address will be the LAN IP 
address of Firewall B. 
8 Destination Subnet Mask - Enter the subnet mask of the 
destination network. 

9 IPSec Gateway Address - Enter the IP Address of the 
remote IPSec VPN gateway (such as another 3Com Firewall 
VPN gateway). This address must be valid, and will be the 
Firewall B WAN IP address if the remote LAN has NAT 
enabled. If the remote IPSec gateway has a dynamic IP 
address, this field may be left blank providing the Security 
Association Names and Unique Firewall Identifiers match 
exactly. 

10 SA Life Time (Secs) - This field sets the length of time 
before an IKE Security Association will automatically 
renegotiate. The SA Life Time may range from 120 to 
2,500,000 seconds. 

The default time of 86,400 seconds is recommended. A 
short SA Life Time increases security by forcing the two 
VPN gateways to update encryption and authentication 
keys. However, every time the VPN renegotiates, all users 
accessing remote resources are disconnected temporarily. 

11 Encryption Method - The OfficeConnect Internet Firewall 
supports eight methods for establishing a VPN tunnel. If 
you are unsure which to select, refer to the VPN terms and 
concepts at the front of this manual. 

12 Shared Secret - Enter a Shared Secret in the Shared Secret 
Field. This is a predefined field that the two endpoints of a 
VPN tunnel use to set up an IKE SA. This field can be any 
combination of alphanumeric characters with a minimum 
length of 4 characters and a maximum of 128 characters. 
Precautions should be taken when delivering or exchanging 
this shared secret to assure that a third party cannot 
compromise the security of a VPN tunnel. 

13 Click the Update button. The operation will take a few 
seconds to complete. Once completed, a message 
confirming the update displays at the bottom of the Web 
browser window. 

14 Restart your OfficeConnect Internet Firewall for the 
changes to take effect. 

15 Now configure Firewall B, applying the same procedure as 
used for Firewall A. 


Creating a Security Association using Manual Keying to 
Firewall A 

Follow the instructions below to create a new Security 
Association using Manual Keying. 

1 Select Add New Security Association from the Security 
Association menu of Firewall A. 

2 IPSec Keying Mode - Select Manual Keying from the IPSec 
Keying Modes menu. 

3 SA Name - Enter a descriptive name for the Security 
Association being created, such as Santa Clara Office. Note 
that this name needs to match the remote VPN gateway ID 
(Unique Firewall Identifier for 3Com Firewall B) exactly if 
one end of the tunnel has a dynamic IP address. 

4 Enable Windows Networking - Ensure the following: 

■ Check the Windows Networking (NetBIOS) broadcast 
checkbox to enable Windows Networking broadcasts. 

■ The Disable all Windows Networking (NetBIOS) 
broadcast checkbox on the VPN Summary tab is 
unchecked to pass broadcasts. 




The VPN Client will not allow broadcasts. 



Figure 6 VPN Manual Keying (top) 
5 Destination Subnet Mask for Windows Networking 
(NetBIOS) Broadcast - If Windows Networking (NetBIOS) 
broadcasts are permitted through the OfficeConnect 
Internet Firewall, define the remote network subnet mask 
of Firewall B. 

6 Destination Address Range Begin - Enter the beginning 
IP address of the LAN for Firewall B. This address may be a 
private address if the LAN has NAT enabled. 

7 Destination Address Range End - Enter the ending IP 
address of the LAN for Firewall B. This address may be a 
private address if the LAN has NAT enabled. 

8 IPSec Gateway Address - Enter the IP Address of the 
remote IPSec VPN gateway (such as another 3Com Firewall 
VPN gateway). This address must be valid, and will be the 
Firewall B WAN IP address if the remote LAN has NAT 
enabled. If the remote IPSec gateway has a dynamic IP 
address, this field may be left blank provided the Security 
Association Names and Unique Firewall Identifiers match 
exactly. 

9 Incoming SPI - Enter the Security Parameter Index (SPI) 
that the local Firewall will receive from Firewall B to identify 
the Security Association used for the VPN tunnel. 

The SPI may be up to eight characters long and is 
comprised of hexadecimal characters. Valid hexadecimal 
characters are "0" to "9", and "a" to "f" inclusive (0, 1, 2, 
3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). 
The range from "0" to "f" inclusive, is reserved by the 
Internet Engineering Task Force (IETF) and are not allowed 
for use as an SPI. They will not be accepted by the Firewall 
when entered as an SPI; an error message will be displayed 
at the bottom of the Web browser window when the 
Update button is pressed. 

For example, a valid SPI would be 1234abcd. 
10 Outgoing SPI - Enter the Security Parameter Index (SPI) 
that the local Firewall will transmit to Firewall B to identify 
the Security Association used for the VPN Tunnel. 

The SPI may be between two and eight characters long and 
is comprised of hexadecimal characters. Valid hexadecimal 
characters are "0" to "9", and "a" to "f" inclusive (0, 1,2, 
3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). 

The range from "0" to "f" inclusive, is reserved by the 
Internet Engineering Task Force (IETF) and are not allowed 
for use as an SPI. They will not be accepted by the Firewall 
when entered as an SPI; an error message will be displayed 
at the bottom of the Web browser window when the 
Update button is pressed. 
For example, a valid SPI would be 1234abcd. 

A Security Association's SPI must be unique when 
compared to SPI's used in other Security Associations. 
However, a Security Association's Incoming SPI may be the 
same as the Outgoing SPI. 

11 Encryption Method - The OfficeConnect Internet Firewall 
supports eight methods for establishing a VPN tunnel. If 
you are unsure which to select, refer to the VPN terms and 
concepts at the front of this manual. 

12 Encryption Key - The DES and ARCFour Keys must be 
exactly 16 characters long and are comprised of 
hexadecimal characters. Keys of less than 1 6 characters will 
not be accepted by the Firewall; an error message will be 
displayed at the bottom of the Web browser window when 
the Update button is pressed. Keys longer than 16 
characters will be truncated. Valid hexadecimal characters 
are "0" to "9", and "a" to "f" inclusive (0, 1, 2, 3, 4, 5, 6, 
7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 
1234567890abcdef. The 3DES Keys must be exactly 48 
characters long and are comprised of hexadecimal 
characters. Keys less than 48 characters will not be 
accepted by the Firewall. An error message appears at the 
bottom of the Web browser window when you click the 
Update button. Keys longer than 48 characters are 
truncated. Valid hexadecimal characters are "0" to "f" 
inclusive. 

When a new SA is created, 16 characters of random text are 
automatically entered in the Encryption Key field. The text 
may be used as a valid key. If this random text is used, it 
must also be entered in the Encryption Key field in the 
remote VPN gateway or client. If encryption is not used, 
this field is ignored. 

13 Authentication Key - Enter an Authentication Key that is 
exactly 32 characters long and is comprised of hexadecimal 
characters. 

Keys of less than 32 characters will not be accepted by the 
Firewall; an error message will be displayed at the bottom 
of the Web browser window when the Update button is 
pressed. Keys longer than 32 characters will be truncated. 
Valid hexadecimal characters are "0" to "9", and "a" to 
"f" inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For 
example, a valid key would be 
1234567890abcdef1234567890abcdef. 

14 Click the Update button. The operation will take a few 
seconds to complete. Once completed, a message 
confirming the update displays at the bottom of the Web 
browser window. 

15 Restart the Firewall for changes to take effect. 

16 Now configure Firewall B, applying the same procedure as 
used for Firewall A. 
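The SPI, Encryption Key, Authentication Key, Shared Secret and SA Life Time rules are stated in the terms chapter and again in the Manual Keying and IKE steps above, and the Firewall reports a violation only one field at a time after Update is pressed (and silently truncates over-long keys). The following Python script is an added worked example, not part of the 3Com manual or of the Firewall's software: a pre-flight check that applies those rules to a Security Association before it is typed into both Firewalls, and generates keys of the required length in the way the Firewall fills in random text for a new SA. The key lengths follow the Manual Keying step 12 (DES and ARCFour 16, 3DES 48, Authentication Key 32 hexadecimal characters); the terms chapter quotes 24 characters for 3DES, so the table is kept in one place to adjust. The sample SA values are constructed and are not real keys.

```python
import re
import secrets

# Rules as the Manual Keying steps state them (counts of hexadecimal characters).
# The terms chapter quotes 24 for 3DES; change the table if your firmware expects that.
ENCRYPTION_KEY_LEN = {"DES": 16, "ARCFour": 16, "3DES": 48}
AUTH_KEY_LEN = 32
SPI_MAX_LEN = 8
SPI_RESERVED_MAX = 0xF            # "0" to "f" inclusive is reserved by the IETF
SHARED_SECRET_RANGE = (4, 128)    # gateway-to-gateway IKE SA (the client SA step says 8 to 128)
SA_LIFETIME_RANGE = (120, 2_500_000)

HEX_RE = re.compile(r"[0-9a-f]+")


def validate_hex_key(value, expected_len, label):
    """Return the problems with a key field; an empty list means the Firewall
    will accept the key exactly as entered."""
    problems = []
    if not HEX_RE.fullmatch(value):
        problems.append(f"{label}: only lower-case hexadecimal characters 0-9 and a-f are valid")
    if len(value) < expected_len:
        problems.append(f"{label}: {len(value)} characters, the Firewall rejects keys shorter than {expected_len}")
    elif len(value) > expected_len:
        problems.append(f"{label}: {len(value)} characters, the Firewall silently truncates to {expected_len}; "
                        f"the remote end must be given the truncated key")
    return problems


def validate_spi(value, label, other_spis=()):
    """Check an SPI: 1 to 8 hex characters, above the reserved 0..f range, and not
    already used by another Security Association (Incoming may equal Outgoing)."""
    if not (HEX_RE.fullmatch(value) and len(value) <= SPI_MAX_LEN):
        return [f"{label}: must be 1 to {SPI_MAX_LEN} lower-case hexadecimal characters"]
    problems = []
    n = int(value, 16)
    if n <= SPI_RESERVED_MAX:
        problems.append(f"{label}: values 0 to f are reserved by the IETF and rejected by the Firewall")
    if n in {int(s, 16) for s in other_spis}:
        problems.append(f"{label}: {value} is already used by another Security Association")
    return problems


def validate_manual_sa(sa, other_spis=()):
    """Pre-flight check of a Manual Keying SA before it is entered in the Web interface."""
    problems = []
    problems += validate_spi(sa["incoming_spi"], "Incoming SPI", other_spis)
    problems += validate_spi(sa["outgoing_spi"], "Outgoing SPI", other_spis)
    method = sa["encryption_method"]
    if method != "Tunnel Only":  # without encryption the Encryption Key field is ignored
        problems += validate_hex_key(sa["encryption_key"], ENCRYPTION_KEY_LEN[method],
                                     f"{method} Encryption Key")
    problems += validate_hex_key(sa["authentication_key"], AUTH_KEY_LEN, "Authentication Key")
    return problems


def validate_ike_sa(sa):
    """Pre-flight check of the IKE-specific fields of a gateway-to-gateway SA."""
    problems = []
    lo, hi = SA_LIFETIME_RANGE
    if not lo <= sa["sa_lifetime"] <= hi:
        problems.append(f"SA Life Time: {sa['sa_lifetime']} is outside {lo} to {hi} seconds")
    lo, hi = SHARED_SECRET_RANGE
    if not lo <= len(sa["shared_secret"]) <= hi:
        problems.append(f"Shared Secret: length must be {lo} to {hi} characters")
    return problems


def generate_key(hex_len):
    """Random lower-case hexadecimal key of the required length, like the text
    the Firewall fills in for a new SA (use a CSPRNG, never a hand-typed pattern)."""
    return secrets.token_hex(hex_len // 2)


if __name__ == "__main__":
    # Constructed sample SA for Firewall A; the key values are not real keys.
    sample = {
        "incoming_spi": "1234abcd",
        "outgoing_spi": "1234abcd",
        "encryption_method": "DES",
        "encryption_key": "1234567890abcdef",
        "authentication_key": "1234567890abcdef1234567890abcdef",
    }
    print(validate_manual_sa(sample, other_spis=["999"]))
    print(validate_spi("f", "Incoming SPI"))
    print(generate_key(ENCRYPTION_KEY_LEN["3DES"]))
```

Run the check against the values for Firewall A and again, with the Incoming and Outgoing SPIs swapped, against the values for Firewall B; the same Encryption and Authentication Keys must pass on both, which is the point of catching silent truncation before the keys are exchanged.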


Creating Additional Security Associations 

Additional Security Associations may be created to link 
multiple offices or partners to the primary business. For 
example, if VPN is used to connect the organization's 
accounting firm, manufacturing facility, and shipping dock 
with headquarters, a different SA would be created to link 
each remote site. Corresponding SAs would be created on 
the remote site's Firewall VPN. 

Modifying and Deleting Existing Security Associations 

The Security Association popup menu also allows the 
administrator to modify and delete existing Security 
Associations. 

1 To delete a Security Association, select it from the menu 
and click the Delete This SA button. 

2 To modify a Security Association, select it from the menu, 
make the desired changes, and click the Update button. 
The operation will take a few seconds to complete. Once 
completed, a message confirming the update will be 
displayed at the bottom of the Web browser window. 

3 Restart the OfficeConnect Internet Firewall for changes to 
take effect. 


Configuring OfficeConnect Internet Firewall for use with 
VPN Client 

This section covers the configuration of the OfficeConnect 
Internet Firewall VPN and the installation of the IRE VPN 
Client Software. There are several parts to this process: 

■ Simple VPN Client (recommended) 
    ■ Configuring a Firewall 
    ■ Installing IRE Client 

■ Advanced VPN Client 
    ■ Configuring a Firewall 
    ■ Installing IRE Client 

■ Manual Key VPN Client 
    ■ Configuring a Firewall 
    ■ Installing IRE Client 

With the Simple Client, all traffic is passed down the 
tunnel. In the Advanced and Manual Client, it is possible to 
determine what traffic goes down the tunnel. 

Configuring a Simple VPN Client 

Simple Configuration uses Internet Key Exchange (IKE) to 
automatically negotiate encryption and authentication 
keys. The Firewall only supports one Simple Configuration 
Security Association, but 10 clients may use this Security 
Association to create a VPN tunnel. This section describes 
how to configure and launch various features of the 
OfficeConnect Internet Firewall VPN Client. 

1 First, configure the Firewall. Click the tab labeled VPN 
Summary on the left side of the browser window. A 
window similar to Figure 7 displays. 

2 Check the Enable VPN checkbox and assign an 
alphanumeric name for the Firewall in the Unique Firewall 
Identifier field. The Unique Firewall Identifier may range 
from 4 to 32 characters in length. 

3 Make note of the Unique Firewall Identifier, as it will need 
to match the Domain Name in the Firewall VPN Client. 
Figure 7 VPN Summary Window 



4 Leave the Disable all Windows Networking (NetBIOS) 
Broadcasts checkbox unchecked to allow Windows 
Networking (NetBIOS) broadcasts to pass across some or all 
VPN SAs. 

Windows Networking (NetBIOS) broadcasts may be 
transmitted between two VPN gateways but are not passed 
to the IRE VPN Client. 

5 Click the Update button. The operation will take a few 
seconds to complete. Once completed, a message 
confirming the update will be displayed at the bottom of 
the Web browser window. 

6 Click the VPN Configure tab at the top of the screen. A 
window similar to the following displays. 
Figure 8 VPN Client Configuration 

7 On the VPN Configure page, create a new Security 
Association by selecting Add New SA from the Security 
Association menu. 



8 Select IKE from the IPSec Keying Mode menu. 

9 Enter an SA Name that identifies the VPN client in the 
Name field, such as the client's location or name. 

10 Leave the Enable Windows Networking (NetBIOS) 
Broadcasts checkbox unchecked because the Firewall VPN 
Client will not transmit Windows Networking (NetBIOS) 
traffic. 

11 Leave the Destination Network, Destination Subnet Mask 
and IPSec Gateway Address fields blank. 

12 The SA Life Time (Secs) field sets the length of time before 
an IKE Security Association will automatically renegotiate. 
The SA Life Time may range from 120 to 2,500,000 
seconds. 

The default time of 86,400 seconds is recommended. A 
short SA Life Time increases security by forcing the two 
VPN gateways to update encryption and authentication 
keys. However, every time the VPN renegotiates, all users 
accessing remote resources are disconnected temporarily. 
13 At Encryption Method, select either Encrypt and 
Authenticate (ESP DES HMAC MD5) for DES encryption or 
Strong Encrypt and Authenticate (ESP 3DES HMAC MD5) 
for 3DES encryption. Refer to the VPN terms and concepts 
at the front of this manual for more details. 

14 Define a shared secret in the Shared Secret field. The 
alphanumeric shared secret must match the VPN client's 
Shared Key and may range from 8 to 128 characters in 
length. Create a Shared Secret that cannot be guessed by 
someone else; avoid using names of friends, family, pets or 
places. Instead, enter a combination of letters, numbers 
and symbols, such as "Aa8*AHjj@e$FF#", for greater 
security. 

15 Click the Update button, once all fields are completed. 
The operation will take a few seconds to complete. Once 
completed, a message confirming the update will be 
displayed at the bottom of the Web browser window. 
Restart the Firewall for changes to take effect. 

Installing the IRE VPN Client Software 

1 Insert the CD that came with the Firewall into your 
CD-ROM Drive. 

2 Go to the VPN Client directory on the CD. 

3 Double-click setup.exe and follow the VPN client Setup 
program's step-by-step instructions. This product does not 
require any serial key for installation. 

4 Restart your computer after the VPN client Setup program 
has finished installing. 

Launching the VPN Client 

1 To launch the VPN client, select SafeNet Soft-PK from the 
Windows Start menu and select Security Policy Editor. 

2 Select New Connection in the File menu at the top of the 
Security Policy Editor window. A window similar to Figure 9 
displays. 
Figure 9 Launching VPN Client 

the desired security policy name. 

Configuring Connection Security and Remote Identity 

1 Select Secure in the Connection Security box on the right 
side of the Security Policy Editor window. 

2 Select IP Subnet in the ID Type menu. 

3 Type the Firewall LAN IP Address in the field immediately 
below ID Type. 

4 Type the LAN Subnet Mask in the Port field. 

5 Select All in the Protocol field to permit all IP traffic through 
the VPN tunnel. 

6 Check the Connect using Secure Gateway Tunnel 
checkbox. 

7 Select Domain Name in the ID Type menu at the bottom of 
the Security Policy Editor window. 

8 Enter the Firewall's Unique Firewall Identifier in the field 
directly below the ID Type menu. Note that this field is case 
sensitive. For example, Santa Clara. 

9 Enter the Firewall WAN IP Address in the IP Address field. 
Enter the LAN IP Address if Standard Mode is enabled. 
Configuring VPN Client Security Policy 

1 Click New Connection in the Network Security Policy box 
on the left side of the Security Policy Editor window. My 
Identity and Security Policy should appear below New 
Connection. 

2 Click Security Policy in the Network Security Policy box. A 
window similar to Figure 10 will be displayed. 

3 Select Aggressive Mode in the Select Phase 1 Negotiation 
Mode box. 

4 Leave the Enable Perfect Forward Secrecy (PFS) checkbox 
unchecked. 

5 Check the Enable Replay Detection checkbox to redisplay 
auditing messages. 



Figure 10 VPN Client Security 




Configuring the VPN Client Identity 

1 Click My Identity in the Network Security Policy box on the 
left side of the Security Policy Editor window. A window 
similar to Figure 11 appears. 

2 Choose None in the Select Certificate menu on the right 
side of the VPN client window. 

3 Select Domain Name in the ID Type menu. 

4 Type Workgroup in the field below the ID Type menu. 
5 Select PPP Adapter in the Name menu if you have a dial-up 
Internet account. Select your Ethernet adapter if you have 
dedicated Cable, ISDN or DSL line. 

6 Click the Pre-Shared Key button. 

7 Click the Enter Key button in the Pre-Shared Key dialog 
box. Then enter the Firewall's Shared Secret in the 
Pre-Shared Key field and click OK. Note that this field is 
case sensitive. 



Figure 11 VPN Client Identity 




Configuring VPN Client Authentication Proposal 

1 Double click Security Policy in the Network Security Policy 
box to display Authentication and Key Exchange. 

2 Double click Authentication. Then select Proposal 1 below 
Authentication. 

3 Select Pre-Shared key in the Authentication Method menu. 

4 Select DES or 3DES in the Encrypt Alg menu, depending 
which encryption method you chose in the Firewall Security 
Association. 

5 Select MD5 in the Hash Alg menu. 

6 Select Unspecified in the SA Life menu. 

7 Select Diffie-Hellman Group 1 in the Key Group menu. 
Configuring VPN Client Key Exchange Proposal 

1 Double click Key Exchange in the Network Security Policy 
box. Then select Proposal 1 below Key Exchange. 

2 Select Unspecified in the SA Life menu. 

3 Select None in the Compression menu. 

4 Check the Encapsulation Protocol (ESP) checkbox. 

5 Select DES or 3DES in the Encrypt Alg menu, depending 
which encryption method you chose in the Firewall Security 
Association. 

6 Select MD5 in the Hash Alg menu. 

7 Select Tunnel in the Encapsulation Method menu. 

8 Leave the Authentication Protocol (AH) checkbox 
unchecked. 

Configuring Global Policy Settings 

1 Select Global Policy Settings in the Options menu at the top 
of the Security Policy Editor window. Increase the 
Retransmit Interval (seconds): period to 45 and click OK. 

2 Select Save Changes in the File menu in the top left corner 
of the Security Policy Editor window. 

You have now set up the VPN Tunnel. 
After completing the VPN client configuration, the 
administrator may securely manage the remote Firewall by 
entering the Firewall LAN IP Address in a browser on the 
computer running the VPN client software. The Firewall 
VPN Client may also access remote resources by locating 
servers or workstations by their remote IP addresses. 

Configuring an Advanced VPN Client 

Advanced Configuration uses Internet Key Exchange (IKE) 
to negotiate encryption and authentication keys 
automatically. Advanced Configuration is similar to Simple 
Configuration, but requires a more complex set-up and is 
not recommended for most Firewall administrators. 
The following instructions describe the configuration of the 
Firewall VPN Client. In addition, instructions for accessing 
the Firewall remotely after the VPN tunnel has been 
established are described below. 

Setting up the Firewall 

1 Click the button labeled VPN on the left side of the browser 
window and then click the tab labeled VPN Summary at the 
top of the window. 

A window similar to Figure 12 displays. 
Figure 12 Advanced VPN Configuration 
2 Check the Enable VPN checkbox and assign an 
alphanumeric name for the Firewall in the Unique Firewall 
Identifier field. The Unique Firewall Identifier may range 
from 4 to 32 characters in length. Make note of the Unique 
Firewall Identifier, as it will be entered into the Firewall VPN 
Client. 

3 Leave the Disable all Windows Networking (NetBIOS) 
Broadcasts checkbox unchecked to allow Windows 
Networking (NetBIOS) broadcasts to pass across some or all 
VPN SAs. 

Windows Networking (NetBIOS) broadcasts may be 
transmitted between two VPN gateways but are not passed 
to the IRE VPN Client. 




Chapter 2: Virtual Private Network Configuration 



4 Click the Update button. The operation will take a few 
seconds to complete. Once completed, a message 
confirming the update will be displayed at the bottom of 
the Web browser window. 

5 Click the VPN Configure tab at the top of the browser. A 
window similar to Figure 13 displays. 

Figure 13 VPN Configure Window 




6 Create a new Security Association by selecting Add New SA 
from the Security Association menu. 

7 Select IKE from the IPSec Keying Mode menu. 

8 Enter a name that identifies the VPN client in the SA Name 
field, such as the client's location or name. This name will 
also be entered in the Firewall VPN Client. 

9 Leave the Enable Windows Networking (NetBIOS) 
Broadcasts checkbox unchecked because the Firewall VPN 
Client will not transmit Windows Networking (NetBIOS) 
traffic. 

10 Enter the internal IP address of the Firewall VPN Client in 
the Destination Network field. This is an arbitrary address 
that will be assigned to the VPN client, and should be a 
private address, such as "192.168.168.1". 
11 Enter the internal subnet mask of the VPN client in the 
Destination Subnet Mask field. The subnet mask 
"255.255.255.255" is recommended. 

12 Leave the IPSec Gateway Address field blank. 

13 The SA Life Time (Secs) field sets the length of time before 
an IKE Security Association will automatically renegotiate. 
The SA Life Time may range from 120 to 2,500,000 seconds. 

The default time of 86,400 seconds is recommended. A 
short SA Life Time increases security by forcing the two 
VPN gateways to update encryption and authentication 
keys. However, every time the VPN renegotiates, all users 
accessing remote resources are disconnected temporarily. 

14 At the Encryption Method field, select either Encrypt or 
Authenticate (ESP DES HMAC MD5) for DES encryption or 
Strong Encrypt and Authenticate (ESP 3DES HMAC MD5) 
for 3DES encryption. 

15 Define a shared secret in the Shared Secret field. 

The alphanumeric shared secret must match the VPN 
client's Shared Key and may range from 8 to 128 characters 
in length. Create a Shared Secret that cannot be guessed 
by someone else; avoid using names of friends, family, pets 
or places. Instead, enter a combination of letters, numbers 
and symbols, such as "Aa8* A Hjj@e$FF#," for greater 
security. 

16 Click the Update button once all fields are completed. The 
operation will take a few seconds to complete. Once 
completed, a message confirming the update displays at 
the bottom of the Web browser window. 

17 Restart the Firewall for changes to take effect. 
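The checks below are an added example and not part of the 3Com manual: they validate the Firewall-side IKE Security Association fields from steps 2 to 17 offline and derive the SafeNet Soft-PK settings that must mirror them. The limits and menu values come from the manual; the function names, dict layout and sample values are assumptions of the example.

```python
"""Added example, not part of the 3Com manual: offline pre-flight checks for the
Firewall-side IKE Security Association (steps 2-17 above) and a derivation of the
SafeNet Soft-PK settings that must mirror it. Limits and menu values come from
the manual; the function names and dict layout are mine."""
import ipaddress
import string

SA_LIFE_MIN, SA_LIFE_MAX, SA_LIFE_DEFAULT = 120, 2_500_000, 86_400
# Encryption Method entries (step 14) and the Encrypt Alg they imply on the client.
ENCRYPTION_METHODS = {
    "Encrypt and Authenticate (ESP DES HMAC MD5)": "DES",
    "Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)": "3DES",
}


def check_shared_secret(secret):
    """Step 15: 8-128 characters, and a mix of letters, numbers and symbols
    rather than a single guessable word."""
    problems = []
    if not 8 <= len(secret) <= 128:
        problems.append("Shared Secret must be 8-128 characters")
    classes = (any(c.isalpha() for c in secret),
               any(c.isdigit() for c in secret),
               any(c in string.punctuation for c in secret))
    if not all(classes):
        problems.append("Shared Secret should mix letters, numbers and symbols")
    return problems


def validate_firewall_sa(fw):
    """Return a list of problems with a Firewall IKE SA dict; empty means it passes."""
    problems = []
    if not 4 <= len(fw.get("unique_firewall_identifier", "")) <= 32:
        problems.append("Unique Firewall Identifier must be 4-32 characters")
    problems += check_shared_secret(fw.get("shared_secret", ""))
    life = fw.get("sa_life_time", SA_LIFE_DEFAULT)
    if not SA_LIFE_MIN <= life <= SA_LIFE_MAX:
        problems.append(f"SA Life Time must be {SA_LIFE_MIN}-{SA_LIFE_MAX} seconds")
    try:
        if not ipaddress.ip_address(fw["destination_network"]).is_private:
            problems.append("Destination Network should be a private address")
    except (KeyError, ValueError):
        problems.append("Destination Network is not a valid IP address")
    if fw.get("destination_subnet_mask") != "255.255.255.255":
        problems.append("Destination Subnet Mask 255.255.255.255 is recommended")
    if fw.get("ipsec_gateway_address"):
        problems.append("IPSec Gateway Address must be left blank for a VPN client SA")
    if fw.get("encryption_method") not in ENCRYPTION_METHODS:
        problems.append("Encryption Method must be one of the two ESP HMAC MD5 options")
    return problems


def derive_client_policy(fw):
    """Soft-PK settings the manual pairs with this SA (Remote Identity, Security
    Policy, My Identity, Proposal 1 and Global Policy steps). The identifier and
    pre-shared key are case sensitive and must match the Firewall exactly."""
    alg = ENCRYPTION_METHODS[fw["encryption_method"]]
    return {
        "remote_id_type": "Domain Name",
        "remote_id": fw["unique_firewall_identifier"],
        "pre_shared_key": fw["shared_secret"],
        "phase1_mode": "Aggressive Mode",
        "pfs": False,
        "replay_detection": True,
        "authentication": {"method": "Pre-Shared key", "encrypt_alg": alg,
                           "hash_alg": "MD5", "sa_life": "Unspecified",
                           "key_group": "Diffie-Hellman Group 1"},
        "key_exchange": {"esp": True, "ah": False, "encrypt_alg": alg,
                         "hash_alg": "MD5", "encapsulation": "Tunnel",
                         "compression": "None"},
        "retransmit_interval_seconds": 45,
    }


# Constructed sample SA (not a real deployment; the secret is a throwaway value).
SAMPLE_FIREWALL_SA = {
    "unique_firewall_identifier": "SantaClara",
    "sa_name": "RemoteAdminLaptop",
    "destination_network": "192.168.168.1",
    "destination_subnet_mask": "255.255.255.255",
    "ipsec_gateway_address": "",
    "sa_life_time": SA_LIFE_DEFAULT,
    "encryption_method": "Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)",
    "shared_secret": "Aa8*^Hjj@e$FF#",
}

if __name__ == "__main__":
    print(validate_firewall_sa(SAMPLE_FIREWALL_SA) or "Firewall SA passes")
    print(derive_client_policy(SAMPLE_FIREWALL_SA))
```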

Launching the Firewall VPN Client 

1 Select SafeNet Soft-PK from the Windows Start menu and 
select Security Policy Editor, or double-click the icon in the 
Windows Task Bar. 

2 Select New Connection from the File menu at the top of 
the Security Policy Editor window. A window similar to 
Figure 14 displays. 
The security policy may be renamed by highlighting New 
Connection in the Network Security Policy box and typing 
the desired security policy name. 



Figure 14 New Connection Window 




Configuring Connection Security and Remote Identity 

1 Select Secure in the Connection Security box. 

2 Select IP Subnet in the ID Type menu. 

3 Type the Firewall LAN IP Address immediately below the ID 
Type field. 

4 Type the LAN Subnet Mask in the Port field. 

5 Select All in the Protocol field to permit all IP traffic through 
the VPN tunnel. 

6 Check the Connect using Secure Gateway Tunnel 
checkbox. 

7 Select Domain Name in the ID Type menu at the bottom of 
the Security Policy Editor window. 

8 Enter the Firewall's Unique Firewall Identifier in the field 
directly below the ID Type menu. Note that this field is case 
sensitive. 



9 Enter the Firewall's WAN IP Address in the IP Address Field. 
Enter the LAN IP Address if Standard Mode is enabled. 
Configuring the VPN Client Security Policy 

1 Double click New Connection in the Network Security 
Policy box on the left side of the Security Policy Editor 
window. My Identity and Security Policy should appear 
below New Connection. 

2 Click Security Policy in the Network Security Policy box. A 
window similar to Figure 15 displays. 



Figure 15 Security Policy Window 




3 Select Aggressive Mode in the Select Phase 1 Negotiation 
Mode box. 

4 Leave the Enable Perfect Forward Secrecy (PFS) checkbox 
unchecked. 



5 Check the Enable Replay Detection checkbox to redisplay 
auditing messages. 

Configuring Global Policy Settings 

1 Select Global Policy Settings in the Options menu at the top 
of the Security Policy Editor window. A window similar to 
Figure 16 displays. 
Figure 16 Global Policy Settings Window 




2 Increase the Retransmit Interval (seconds) to 45. 

3 Check the Allow to Specify Internal Network Address 
checkbox and click OK. 



Configuring the VPN Client Identity 

1 Click My Identity in the Network Security Policy box on the 
left side of the Security Policy Editor window. A window 
similar to Figure 17 displays. 

Figure 17 My Identity Window 

2 Choose None in the Select Certificate menu. 

3 Select Domain Name in the ID Type menu. 

4 Enter the Name of the Firewall Security Association in the 
field below the ID Type menu. Note that this field is case 
sensitive. 

5 Select the adapter you use to access the Internet in the 
Internet Interface box. Select PPP Adapter in the Name 
menu if you have a dial-up Internet account. Select your 
Ethernet adapter if you have dedicated Cable, ISDN or DSL 
line. 

6 Click the Pre-Shared Key button. A dialog box similar to the 
following appears. Note that this field is case sensitive. 

7 Click the Enter Key button in the Pre-Shared Key dialog 
box. Then enter the Firewall's Shared Secret in the 
Pre-Shared Key field and click OK. 

Configuring the VPN Client Authentication Proposal 

1 Double click Security Policy in the Network Security Policy 
box to display Authentication and Key Exchange. 

2 Double click Authentication. Then select Proposal 1 below 
Authentication. A window similar to Figure 18 displays. 

Figure 18 Authentication Proposal 1 Window 
3 Select Pre-Shared key in the Authentication Method menu. 

4 Select DES or 3DES in the Encrypt Alg menu, depending on 
which encryption method you chose in the Firewall Security 
Association. 

5 Select MD5 in the Hash Alg menu. 

6 Select Unspecified in the SA Life menu. 

7 Select Diffie-Hellman Group 1 in the Key Group menu. 

Configuring a VPN Client Key Exchange Proposal 

1 Double click Key Exchange in the Network Security Policy 
box. Then select Proposal 1 below Key Exchange. A 
window similar to Figure 19 displays. 



Figure 19 Key Exchange Proposal 1 Window 




2 Select Unspecified in the SA Life menu. 

3 Select None in the Compression menu. 

4 Check the Encapsulation Protocol (ESP) checkbox. 

5 Select DES or 3DES in the Encrypt Alg menu, depending on 
which encryption method you chose in the Firewall Security 
Association. 

6 Select MD5 in the Hash Alg menu. 

7 Select Tunnel in the Encapsulation Method menu. 
8 Leave the Authentication Protocol (AH) checkbox 
unchecked. 

Saving Firewall VPN Client Settings 

Select Save Changes in the File menu in the top left corner 
of the Security Policy Editor window. 

After completing the VPN client configuration, the 
administrator may securely manage the remote Firewall by 
entering the Firewall LAN IP Address in a browser on the 
computer running the VPN client software. 

The Firewall VPN Client may also access remote resources 
by locating servers or workstations by their remote IP 
addresses. 

Configuring a Manual Key VPN Client 

Manual Key Configuration requires the exchange of 
pre-shared encryption and authentication keys. Each 
Manual Key Security Association (SA) allows 64 VPN clients 
to share the same configuration. Because Manual Key 
Configuration supports multiple SAs, it gives greater 
control over remote users. 

The OfficeConnect Internet Firewall may support up to 10 
VPN clients, but the number of simultaneous VPN client 
connections will be limited to the WAN connection speed, 
the encryption speed of the Firewall, and the amount of 
traffic through each VPN tunnel. 

1 First, configure the Firewall to connect to the VPN client. 
Click the button labeled VPN on the left side of the browser 
window and then click the tab labeled VPN Summary at the 
top of the window. A window similar to Figure 20 displays. 
Figure 20 VPN Summary Window 



2 Check the Enable VPN checkbox and assign an 
alphanumeric name for the Firewall in the Unique Firewall 
Identifier field. The Unique Firewall Identifier may range 
from 4 to 32 characters in length. 

3 Leave the Disable all Windows Networking (NetBIOS) 
broadcast checkbox unchecked to allow Windows 
Networking (NetBIOS) broadcasts to pass across some or all 
VPN SAs. 

Windows Networking (NetBIOS) broadcasts may be 
transmitted between two VPN gateways but are not passed 
to the Firewall VPN Client. 

4 Click the Update button. The operation will take a few 
seconds to complete. Once completed, a message 
confirming the update displays at the bottom of the Web 
browser window. 

5 Click the VPN Configure tab at the top of the screen. 

6 Create a new Security Association by selecting Add New SA 
from the Security Association menu on the Configure page. 

7 Select Manual Key from the IPSec Keying Mode menu. 

8 Enter a descriptive name that identifies the VPN client in 
the Name field, such as the client's location or name. 
9 Leave the Enable Windows Networking (NetBIOS) 
broadcast checkbox unchecked because the Firewall VPN 
Client will not transmit Windows Networking (NetBIOS) 
traffic. 

10 Leave the Destination Subnet Mask for (NetBIOS) 
broadcast, Destination Address Range Begin, Destination 
Address Range End, and IPSec Gateway Address fields 
blank. 

11 Define an Incoming SPI and an Outgoing SPI. The SPIs are 
hexadecimal (0123456789abcdef) and may be up to 8 
characters in length. 

12 Select Encrypt and Authenticate (ESP DES HMAC MD5) for 
DES encryption or Strong Encrypt and Authenticate (ESP 
3DES HMAC MD5) for 3DES encryption. 

13 Enter a hexadecimal encryption key in the Encryption Key 
field: 16 characters for DES or 48 characters for 3DES. 

14 Enter a 32 character hexadecimal authentication key in the 
Authentication Key field. 

15 Click the Update button once all the fields are completed. 
The operation will take a few seconds to complete. Once 
completed, a message confirming the update displays at 
the bottom of the Web browser window. 

16 Restart the Firewall for changes to take effect. 

Launching the Firewall VPN Client 

1 Select SafeNet Soft-PK from the Windows Start menu and 
select Security Policy Editor, or double-click the icon in the 
Windows Task Bar to launch the VPN client. 

2 Select New Connection in the File menu at the top of the 
Security Policy Editor window. A window similar to 
Figure 21 displays. 
Figure 21 New Connection Window 

The security policy may be renamed by highlighting New 
Connection in the Network Security Policy box and typing 
the desired security policy name. 

Configuring VPN Security and Remote Identity 

1 Select Secure in the Connection Security box on the right 
side of the Security Policy Editor window. 

2 Select IP Subnet in the ID Type menu. 

3 Type the Firewall LAN's IP Address below the ID Type menu. 

4 Type the Firewall LAN's Subnet Mask in the Port field. 

5 Select All in the Protocol menu to permit all IP traffic 
through the VPN tunnel. 

6 Check the Connect using Secure Gateway Tunnel 
checkbox. 

7 Select IP Address in the ID Type menu at the bottom of the 
Security Policy Editor window. 

8 Enter the Firewall WAN's IP Address in the field below the 
ID Type menu. Enter the LAN IP Address if Standard Mode is 
enabled. 
Configuring VPN Client Security Policy 

1 Double-click New Connection in the Network Security 
Policy box on the left side of the Security Policy Editor 
window. My Identity and Security Policy appear below New 
Connection. 

2 Click Security Policy in the Network Security Policy box. A 
window similar to that shown in Figure 22 displays. 



Figure 22 Security Policy Window 




3 Select Use Manual Keys in the Select Phase 1 Negotiation 
Mode box. 



Configuring VPN Client Identity 

1 Click My Identity in the Network Security Policy box on the 
left side of the Security Policy Editor window. A window 
similar to that shown in Figure 23 displays. 

2 Choose None in the Select Certificate menu on the right 
side of the Security Policy Editor window. 

3 Select IP Address in the ID Type menu. 

4 Leave the Enable Perfect Forward Secrecy (PFS) checkbox 
unchecked. 

5 Check the Enable Replay Detection checkbox to redisplay 
auditing messages. 
Figure 23 My Identity Window 




6 Select the adapter you use to access the Internet in the 
Internet Interface box. Select PPP Adapter in the Name 
menu if you have a dial-up Internet account. Select your 
Ethernet adapter if you have dedicated Cable, ISDN or DSL 
line. 



Configuring VPN Client Authentication Proposal 

1 Double click Security Policy in the Network Security Policy 
box to display Authentication and Key Exchange. Then 
double click Authentication. 

2 Select Proposal 1 below Authentication. A window similar 
to that shown in Figure 24 displays. 

3 Select Pre-Shared key in the Authentication Method menu. 

4 Select DES or 3DES in the Encrypt Alg menu, depending on 
which encryption method you chose in the Firewall Security 
Association. 

5 Select MD5 in the Hash Alg menu. 

6 Select Unspecified in the SA Life menu. 

7 Select Diffie-Hellman Group 1 in the Key Group menu. 
Figure 24 Proposal Window 

Configuring VPN Client Key Exchange Proposal 

1 Double click Key Exchange in the Network Security Policy 
box. Then select Proposal 1 below Key Exchange. A window 
similar to Figure 25 displays. 

Figure 25 Key Exchange Window 
2 Select Unspecified in the SA Life menu. 

3 Select None in the Compression menu. 
4 Check the Encapsulation Protocol (ESP) checkbox. 

5 Select Encrypt and Authenticate (ESP DES HMAC MD5) for 
DES encryption or Strong Encrypt and Authenticate (ESP 
3DES HMAC MD5) for 3DES encryption. 

6 Select MD5 in the Hash Alg menu. 

7 Select Tunnel in the Encapsulation menu. 

8 Leave the Authentication Protocol (AH) checkbox 
unchecked. 

Configure Inbound VPN Client Keys 

1 Click the Inbound Keys button. An Inbound Keying 
Material box similar to Figure 26 appears. 



Figure 26 Inbound Keys Window 




2 Click the Enter Key button to define the encryption and 
authentication keys. 



3 Type the Firewall's Outgoing SPI in the Security Parameter 
Index field. 

4 Select Binary in the Choose key format options. 

5 Enter either a 16 or 48 character Encryption Key in the ESP 
Encryption Key field for DES or 3DES respectively. 

6 Enter the Firewall's 32 character Authentication Key in the ESP 
Authentication Key field then click OK. 
Configuring Outbound VPN Client Keys 

1 Click the Outbound Keys button. An Outbound Keying 
Material box similar to Figure 27 displays. 

Figure 27 Outbound Keys Window 




2 Click the Enter Key button to define the encryption and 
authentication keys. 

3 Type the Firewall's Incoming SPI in the Security Parameter 
Index field. 



4 Select Binary in the Choose key format options. 

5 Enter the Firewall's 16 character Encryption Key in the ESP 
Encryption Key field. 

6 Enter the Firewall's 32 character Authentication Key in the ESP 
Authentication Key field and then click OK. 
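The following is an added example, not part of the 3Com manual: it checks the Manual Key SA fields entered on the Firewall (SPIs, Encryption Key, Authentication Key, blank fields) and derives the Inbound and Outbound Keying Material the client must be given, swapping the SPIs as the Inbound and Outbound steps above require. Field lengths come from the manual; the function names, dict layout, DES weak-key list and sample keys are assumptions of the example.

```python
"""Added example, not part of the 3Com manual: offline checks for the Manual Key
Security Association entered on the Firewall and a derivation of the Inbound and
Outbound Keying Material for the SafeNet Soft-PK client. Field names and lengths
come from the manual; function names and the dict layout are mine."""
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Encryption Key length in hex characters per Encryption Method (step 13):
# 16 hex chars is a 64-bit DES key, 48 hex chars is a 192-bit 3DES key.
ENCRYPTION_KEY_HEX_LEN = {
    "Encrypt and Authenticate (ESP DES HMAC MD5)": 16,
    "Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)": 48,
}
AUTH_KEY_HEX_LEN = 32   # 128-bit HMAC-MD5 key (step 14)
SPI_MAX_HEX_LEN = 8     # SPIs are hex and up to 8 characters (step 11)
# Fields the manual says to leave blank for a VPN client SA (step 10).
MUST_BE_BLANK = ("destination_subnet_mask", "destination_address_range_begin",
                 "destination_address_range_end", "ipsec_gateway_address")
# The four DES weak keys (a known DES property, not taken from the manual).
DES_WEAK_KEYS = {"0101010101010101", "fefefefefefefefe",
                 "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e"}


def strip_0x(value):
    """Normalise hex input: Check Point shows hex with a 0x prefix, while the
    Firewall's fields take the bare digits."""
    value = value.strip()
    return value[2:] if value[:2].lower() == "0x" else value


def check_hex_field(name, value, exact=None, maximum=None):
    """Return a list of problems for one hex field (empty list means OK)."""
    value = strip_0x(value)
    if not value or not HEX_RE.match(value):
        return [f"{name} must be hexadecimal (0123456789abcdef)"]
    if exact is not None and len(value) != exact:
        return [f"{name} must be exactly {exact} hex characters, got {len(value)}"]
    if maximum is not None and len(value) > maximum:
        return [f"{name} may be at most {maximum} hex characters"]
    return []


def validate_manual_key_sa(sa):
    """Check a Firewall Manual Key SA dict; an empty result means it passes."""
    problems = []
    key_len = ENCRYPTION_KEY_HEX_LEN.get(sa.get("encryption_method"))
    if key_len is None:
        problems.append("Encryption Method must be one of the two ESP HMAC MD5 options")
    else:
        enc = sa.get("encryption_key", "")
        problems += check_hex_field("Encryption Key", enc, exact=key_len)
        if key_len == 16 and strip_0x(enc).lower() in DES_WEAK_KEYS:
            problems.append("Encryption Key is a DES weak key; choose another")
    problems += check_hex_field("Authentication Key",
                                sa.get("authentication_key", ""), exact=AUTH_KEY_HEX_LEN)
    for label, field in (("Incoming SPI", "incoming_spi"), ("Outgoing SPI", "outgoing_spi")):
        problems += check_hex_field(label, sa.get(field, ""), maximum=SPI_MAX_HEX_LEN)
    for field in MUST_BE_BLANK:
        if sa.get(field):
            problems.append(f"{field} must be left blank for a VPN client SA")
    return problems


def derive_client_keying(sa):
    """Keying Material for the client: Inbound carries the Firewall's Outgoing
    SPI, Outbound carries its Incoming SPI; the ESP keys are the same in both
    directions and are entered in Binary format."""
    enc = strip_0x(sa["encryption_key"]).lower()
    auth = strip_0x(sa["authentication_key"]).lower()

    def material(spi_field):
        return {"spi": strip_0x(sa[spi_field]).lower(), "key_format": "Binary",
                "esp_encryption_key": enc, "esp_authentication_key": auth}

    return {"inbound": material("outgoing_spi"), "outbound": material("incoming_spi")}


# Constructed sample values for a DES SA; these are not real keys.
SAMPLE_SA = {
    "name": "BranchLaptop",
    "encryption_method": "Encrypt and Authenticate (ESP DES HMAC MD5)",
    "incoming_spi": "0x0000abcd",
    "outgoing_spi": "00001234",
    "encryption_key": "0123456789abcdef",
    "authentication_key": "00112233445566778899aabbccddeeff",
}

if __name__ == "__main__":
    print(validate_manual_key_sa(SAMPLE_SA) or "Firewall SA passes")
    print(derive_client_keying(SAMPLE_SA))
```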

Saving Firewall VPN Client Settings 

Select Save Changes in the File menu in the top left corner 
of the Security Policy Editor window. 

After saving the VPN client configuration, the administrator 
may securely manage the remote Firewall by entering the 
Firewall LAN IP Address in a browser on the VPN client host 
computer. The VPN Client will be able to access remote 
resources by locating servers or workstations by their 
remote IP addresses. 
Using OfficeConnect Internet Firewall with Check Point 
Firewall-1 

The most common solution to prevent unwanted Internet 
access is to fortify the enterprise network against hackers. 
Often a Firewall is used at the main entrance of the 
enterprise network, but that is not always enough. 
Although the "front door" may be secure and monitored, 
other portals may not be protected as well. Remote offices 
are often susceptible and place their data and application 
availability at risk by providing an unguarded "back door" 
into the network. 

Similar technologies are used to protect alternative portals 
on an enterprise network, remote networks and to isolate 
internal segments of a large network from internal threats. 
Thus it is possible to have firewalls as portals and use 
Virtual Private Networks (VPNs) between the enterprise 
network and remote offices. 

A VPN provides a secure, encrypted path over the Internet. 
A VPN should be required for accessing any non-public 
information over the Internet. Since VPN standards are still 
evolving, different vendors' implementations are not 
always fully interoperable. Ideally, a firewall should be 
adaptable to support all of the VPN products it may 
encounter, but not all do. 

The VPN features of the OfficeConnect Internet Firewall 
provide interoperability with many different vendors. 
However, a common VPN firewall solution is provided by 
Check Point Firewall-1. This technical note details the steps 
required to configure the IRE VPN Client and the 
OfficeConnect Internet Firewall to work with Check Point 
Firewall-1. 

Configuring the IRE VPN Client 

Launch and log into the SafeNet Soft-PK Security Policy 
Editor application. 

1 Check the existing Firewall object and make sure the 
Encryption Domain includes all objects for any encryption 
methods in use. Go to the Encryption tab and make sure 
the Manual IPSEC encryption algorithm is selected for 
Firewall VPN. If SecuRemote is used, FWZ must also be 
selected. 

2 Create the Remote Object(s). These are the resources 
behind the remote Firewall (Workstations, Network or 
Group Objects). Refer to the following example: 

a From the Manage menu select Network Objects. 

b Press the New button and select Network. 

c Give the Network Object a unique name: (For example, 
"Firewall-Network") 

d Give the Network Object an IP Address Range: (For 
example, "10.1.1.0") 

e Give the Network Object a Subnet Mask: (For example, 
"255.255.255.0") 

f Give the Network Object a Comment (optional) 

g Select External for the Location Option 

h Press the OK button when finished. 

3 For easier management, you should create a group and 
place all objects that are protected by the remote Firewall in 
that group. To do this: 

a Press the New button and select the Group option. 

b Give the Group object a unique Name 
("Encrypt-Firewall") 

c Give the Group object a Comment (optional) 

d Select the objects that are behind the remote Firewall 
and Add to the group. 

e Press the OK button when finished. 
4 Create a remote Firewall object. To do this: 

a Press the New button and select the Workstation option. 

b Give the workstation object a unique name (For 
example, "Firewall-Remote"). 

c Give the workstation object the external IP address of 
the Remote Firewall (For example, "111.111.111.111"). 

d Give the workstation object a comment (optional). 

e Select External for the Location. 

f Select Gateway for the Type. 

g Leave the Firewall-1 Installed box unchecked. 

h Go to the Encryption Tab. Select the Other radio button 
and select the Group or Network the Firewall will be 
encrypting for. 

i Select the encryption method Manual IPSEC. 

j Press the OK button when finished. 

5 Create the SPI key(s) needed to synchronize encryption 
algorithms. To do this: 

a From the Manage menu select the Keys option. 

b Press the New button and select SPI. 

c Give the SPI value a unique hexadecimal value. 

d Give the SPI key a comment (optional). 

e Check the ESP box and select DES as Encryption 
Algorithm. 

f Make sure that the AH box is unchecked (ignore any 
warning). The Authentication Algorithm field should be 
grayed out. 

g Enter an Encryption Key (must be 16 hexadecimal 
characters). The Authentication Key field should be 
grayed out. 

The Encryption Key and SPI Key number must match the 
settings on the remote Firewall for the VPN to work. 
6 Now you must create a rule to allow the Check Point 
Firewall to exchange IPSEC packets with the remote 
Firewall. To do this: 

From the Edit menu, select Add Rule. 
This rule should be added below any Client VPN rules (for 
SecuRemote to work properly) and above the normal 
resource access rules. The rule should contain both Firewall 
objects (Check Point Firewall-1 and Firewall), the services 
should be IPSEC group and it should be Accepted. Logging 
is optional and should be used to debug any problems. 

7 Next you need to add a rule to allow the two 
networks/groups to send encrypted data to each other. 
This rule should follow right after the Firewall IPSEC packet 
exchange rule. The rule should contain both the local 
network/group with the remote network/group. You can 
limit the services that are allowed to traverse the VPN 
tunnel. The action for this rule should be "Encrypt." 

8 Right click the Encrypt action and select Edit Properties. 

9 Select the Manual IPSEC and the Logging radio buttons. 

10 Press the Edit button. Select the SPI Key for this VPN 
Tunnel. 

11 Press the OK button when finished with the IPSEC 
properties and press the OK button when finished with the 
Encryption properties. 

12 From the Policy menu, select Install to activate the security 
policy. The VPN tunnel will function once the remote 
Firewall has been configured with a corresponding security 
association. 
Configuring the OfficeConnect Internet Firewall 

1 Go to the VPN Configure screen in the Firewall 
management interface. Create a Firewall Security 
Association, using manual key encryption, and name it 
Check Point (any name will work). 

2 Enter a valid destination address range (referring to the 
LAN behind Check Point). Specify the Check Point's 
external address as the IPSec Gateway address. 

3 Select the Encryption Method Encrypt for Checkpoint (ESP 
DES rfc1829). Make sure the Encryption Key and the SPIs 
match the values specified in the Check Point screens (The 
Firewall doesn't need the '0x' prefixes to denote 
hexadecimal fields like the Check Point does). There is no 
need for an authentication key. 
Update the screen and restart Firewall to activate the VPN 
configuration. 



Technical Support 



3Com provides easy access to technical support information 
through a variety of services. This appendix describes these 
services. 

Information contained in this appendix is correct at time of 
publication. For the most recent information, 3Com 
recommends that you access the 3Com Corporation World 
Wide Web site. 



Online Technical Services 

3Com offers worldwide product support 24 hours a day, 
7 days a week, through the following online systems: 

■ World Wide Web site 

■ 3Com Knowledgebase Web Services 

■ 3Com FTP site 

World Wide Web Site 

To access the latest networking information on the 
3Com Corporation World Wide Web site, enter this URL 
into your Internet browser: 

http://www.3com.com/ 

This service provides access to online support information 
such as technical documentation and software, as well as 
support options that range from technical education to 
maintenance and professional services. 
3Com Knowledgebase Web Services 

This interactive tool contains technical product information 
compiled by 3Com expert technical engineers around the 
globe. Located on the World Wide Web at 
http://knowledgebase.3com.com, this Service gives all 
3Com customers and partners complementary, 
round-the-clock access to technical information on most 
3Com products. 

3Com FTP Site 

Download drivers, patches, software, and MIBs across the 
Internet from the 3Com public FTP site. This service is 
available 24 hours a day, 7 days a week. 

To connect to the 3Com FTP site, enter the following 
information into your FTP client: 

■ Hostname: ftp.3com.com 

■ Username: anonymous 

■ Password: <your Internet e-mail address> 

You do not need a user name and password with Web 
browser software such as Netscape Navigator and 
Internet Explorer. 



Support from Your Network Supplier 

If you require additional assistance, contact your network 
supplier. Many suppliers are authorized 3Com service 
partners who are qualified to provide a variety of services, 
including network planning, installation, hardware 
maintenance, application training and support services. 

When you contact your network supplier for assistance, 
have the following information ready: 

■ Product model name, part number, and serial number 

■ A list of system hardware and software, including 
revision levels 

■ Diagnostic error messages 

■ Details about recent configuration changes, if applicable 

If you are unable to contact your network supplier, see the 
following section on how to contact 3Com. 
Support from 3Com 

If you are unable to obtain assistance from the 3Com online 
technical resources or from your network supplier, 3Com 
offers technical telephone support services. To find out more 
about your support options, call the 3Com technical 
telephone support phone number at the location nearest you. 

When you contact 3Com for assistance, have the following 
information ready: 

■ Product model name, part number, and serial number 

■ A list of system hardware and software, including 
revision levels 

■ Diagnostic error messages 

■ Details about recent configuration changes, if applicable 

Here is a list of worldwide technical telephone support 
numbers. These are correct at the time of publication. Refer 
to the 3Com Web site for updated information: 


Country                                    Telephone Number 

Asia Pacific Rim 
  Australia                                1 800 678 515 
  Hong Kong                                800 933 486 
  India                                    +61 2 9937 5085 or 
                                           000800 650111 
  Indonesia                                001 800 61 009 
  Japan                                    03 5783 1270 
  Malaysia                                 1800 801 777 
  New Zealand                              0800 446 398 
  Pakistan                                 +61 2 9937 5083 
  Philippines                              1235 61 266 2602 
  P.R. of China                            10800 61 00137 or 
                                           021 6350 1590 or 
                                           0800 0638 3266 
  Singapore                                800 6161 463 
  S. Korea                                 00798 611 2230 
                                           02 3455 6455 
  Taiwan, R.O.C.                           0080 611 261 
  Thailand                                 001 800 611 2000 

Europe, Middle East and Africa 
  From anywhere in these regions, call:    +44 (0)1442 435529 phone 
                                           +44 (0)1442 436772 fax 

Europe and South Africa 
  From the following countries, you may use the toll-free numbers: 
  Austria                                  0800 297468 
  Belgium                                  0800 71429 
  Denmark                                  800 17309 
  Finland                                  0800 113153 
  France                                   0800 917959 
  Germany                                  0800 1821502 
  Hungary                                  06800 12813 
  Ireland                                  1800 5531 17 
  Israel                                   1800 9453794 
  Italy                                    800 8 79489 
  Luxembourg                               0800 3625 
  Netherlands                              0800 0227788 
  Norway                                   800 11376 
  Poland                                   00800 3111206 
  Portugal                                 0800 831416 
  South Africa                             0800 995014 
  Spain                                    900 983125 
  Sweden                                   020 795482 
  Switzerland                              0800 55 3072 
  U.K.                                     0800 966197 

Latin America 
  Brazil                                   0800 13 3266 
  Mexico                                   01 800 849CARE 
  Puerto Rico                              800 666 5065 
  Central and South America                AT&T +800 998 2112 

North America                              1 800 NET 3Com (1 800 638 3266) 
  Enterprise Customers:                    1 800 876-3266 